Weak Cipher Suites Enabled — Probely (2024)

CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N

Severity: Medium
CWE Name: Weak cipher suites enabled
CWE ID: CWE-326
CVSS Score: 7.4

Compliance:
OWASP TOP10 -> A2
PCI-DSS -> 4.1, 6.5.4
ISO27001 -> A.5.14, A.8.9, A.8.24

Weak cipher suites enabled

The server supports weak cipher suites for SSL/TLS connections. These cipher suites are currently considered broken and, depending on the specific cipher suite, offer poor or no security at all, which defeats the purpose of using a secure communication channel in the first place.

Any connection to the server that uses a weak cipher suite is at risk of being eavesdropped on and tampered with by an attacker who can intercept connections. This is more likely to happen to Wi-Fi clients.

Depending on the cipher suites used, a connection may be at an immediate risk of being intercepted.

How to fix

  • To stop using weak cipher suites, you must configure your web server cipher suite list accordingly.

    Ideally, as a general guideline, you should remove any cipher suite containing references to NULL, anonymous, export, DES, 3DES, RC4, and MD5 algorithms. Additionally, remove any cipher suite containing ciphers with less than 128 bits of security. You should also remove any CBC ciphers, as CBC ciphers may be vulnerable to padding oracle attacks.

    You should enable ECDHE and GCM cipher suites to ensure proper security. Please note that these modern ciphers are available in newer versions of TLS only. You will need to enable TLSv1.2 and above (for GCM cipher suites).

    To achieve this, we propose a modern cipher suite, based on these recommendations:

    TLS13-AES-256-GCM-SHA384:TLS13-CHACHA20-POLY1305-SHA256:TLS13-AES-128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256

    For most systems, changing TLS cipher suites requires a change to the web server configuration file. Please refer to your web server documentation on how to do so.

    For NGINX, you can use the following snippet to enable the modern compatibility cipher suite. This will support TLS 1.2 and above only.

    server {
        listen 443 ssl;
        ...
        ssl_protocols TLSv1.2 TLSv1.3;
        ssl_ciphers 'TLS13-AES-256-GCM-SHA384:TLS13-CHACHA20-POLY1305-SHA256:TLS13-AES-128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256';
        ...
    }

    For the Apache server, the following snippet may be used to enable TLS 1.2+ and strong ciphers.

    <VirtualHost *:443>
        ...
        SSLEngine on
        # mod_ssl protocol names are spelled TLSv1.2 and TLSv1.3
        SSLProtocol -all +TLSv1.2 +TLSv1.3
        SSLCipherSuite TLS13-AES-256-GCM-SHA384:TLS13-CHACHA20-POLY1305-SHA256:TLS13-AES-128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256
        SSLHonorCipherOrder on
        SSLCompression off
        ...
    </VirtualHost>
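
The removal guideline above can be turned into a check over a configured cipher list. The following is an added example, not Probely's code: `classify`, `audit` and `strict` are hypothetical helper names, and treating any suite name without GCM, CCM or CHACHA20 as CBC mode is a naming heuristic assumed here for OpenSSL-style names.

```python
# Added example: audit an OpenSSL-style cipher list against the guideline above.
# Assumption: in OpenSSL names for TLS 1.2 and below, a block-cipher suite
# without GCM, CCM or CHACHA20 in its name runs in CBC mode.

AEAD_TOKENS = {"GCM", "CCM", "CCM8", "CHACHA20"}

def classify(suite):
    """Return the guideline reasons for removing one suite ([] if none)."""
    tokens = set(suite.upper().split("-"))
    reasons = []
    if "NULL" in tokens:
        reasons.append("NULL")
    if tokens & {"ADH", "AECDH"}:
        reasons.append("anonymous")
    if tokens & {"EXP", "EXPORT"}:
        reasons.append("export")
    if tokens & {"CBC3", "3DES"}:
        reasons.append("3DES")
    elif "DES" in tokens:
        reasons.append("DES")
    if "RC4" in tokens:
        reasons.append("RC4")
    if "MD5" in tokens:
        reasons.append("MD5")
    # NULL and RC4 are not block ciphers, so they are never reported as CBC.
    if not tokens & (AEAD_TOKENS | {"NULL", "RC4"}):
        reasons.append("CBC")
    return reasons

def split(cipher_list):
    """Split a colon-separated cipher list into suite names."""
    return [s.strip() for s in cipher_list.split(":") if s.strip()]

def audit(cipher_list):
    """Map each flagged suite in the list to its reasons."""
    return {s: r for s in split(cipher_list) if (r := classify(s))}

def strict(cipher_list):
    """Return the list with every flagged suite dropped, order preserved."""
    flagged = audit(cipher_list)
    return ":".join(s for s in split(cipher_list) if s not in flagged)

# Constructed sample: a legacy list built from OpenSSL suite names.
LEGACY = ("ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:DES-CBC3-SHA:"
          "RC4-MD5:EXP-DES-CBC-SHA:ADH-AES128-SHA:NULL-SHA")

if __name__ == "__main__":
    for suite, reasons in audit(LEGACY).items():
        print(f"{suite}: {', '.join(reasons)}")
    print("keep:", strict(LEGACY))
```

Applied to the cipher list proposed above, `audit` reports the four ECDHE suites that lack GCM (the ones ending in AES256-SHA384 and AES128-SHA256), since those run AES in CBC mode.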

FAQs

How do I fix weak cipher suites vulnerability?

To stop using weak cipher suites, you must configure your web server cipher suite list accordingly. Ideally, as a general guideline, you should remove any cipher suite containing references to NULL, anonymous, export, DES, 3DES, RC4, and MD5 algorithms.

How do I disable weak ciphers on my website?

Disable specific ciphers and protocols - Version 16.2 (Build 37799) and above
  1. In a text editor, open the following file: ...
  2. Locate the two lines starting with “#server.ssl.disabled-protocols” and “#server.ssl.disabled-cipher-suites”.
  3. Remove the preceding # sign to uncomment the lines and edit the list as needed.

How to disable weak cipher suites in Java?

Disabling Weak Cipher Suites Globally Through Java
  1. At a command prompt, access the java.security file: ...
  2. Open the java.security file and locate the following parameter: ...
  3. In this line, after =SSLv3, add DES and DESede so that the line looks like this: ...
  4. Verify that weak cipher suites have been disabled.

How do I disable weak ciphers on Windows Server?

Normally to disable weak ciphers on a Windows server you just run IISCrypto and disable the protocols that you don't want. Reboot the machine and they are no longer available.

What is the tool to disable cipher suites?

The Disable-TlsCipherSuite cmdlet disables a cipher suite. This cmdlet removes the cipher suite from the list of Transport Layer Security (TLS) protocol cipher suites for the computer.

How to check weak cipher suites?

You can use Wireshark or other packet analyzers to double-check whether the client or the server caused an issue, TLS client and server versions, and other cipher suite information. This can help analyze version mismatches and other issues.

How do I find out what ciphers are used on a website?

Find the cipher using Chrome
  1. Launch Chrome.
  2. Enter the URL you wish to check in the browser.
  3. Click on the ellipsis located on the top-right in the browser.
  4. Select More tools > Developer tools > Security.
  5. Look for the line "Connection...". This will describe the version of TLS or SSL used.

Which ciphers should be disabled?

Finally, there is the option for a “NULL” cipher, which simply means the traffic should not be encrypted, so this option should definitely not be enabled. In short, you should disable known deprecated and discouraged ciphers, including DES, IDEA, 3DES, RC2, RC4, ARIA, SEED, and NULL ciphers.

How do I make my ciphers more secure?

One way to make a Caesar cipher a bit harder to break is to use different shifts at different positions in the message. For example, we could shift the first character by 25, the second by 14, the third by 17, and the fourth by 10.

How do I restrict cipher suites?

Cipher suites and edge certificates

After you have subscribed to Advanced Certificate Manager for your domain, you can restrict cipher suites at the zone level via the API. Use the Edit zone setting endpoint, specifying ciphers as the setting name in the URI path.

How do I change cipher suites?

Configure allowed cipher suites

Do the following to specify the allowed cipher suites: Open regedit.exe and go to: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Cryptography\Configuration\Local\SSL\00010002. Edit the Functions key, and set its value to the list of Cipher Suites that you want to allow.

How to check cipher suites in Java?

  1. Download the CipherSuite.zip and extract the content into a temporary folder.
  2. Using the terminal, run the following command from the temporary folder.
  3. The list of ciphers will be displayed on the terminal.

How do I fix weak SSL ciphers?

  1. Back up your ssl.conf. Connect to your server and make a copy of your ssl.conf in case you need to revert it: cp /etc/nginx/common/ssl.conf /etc/nginx/common/ssl.conf.backup.
  2. Edit the ssl.conf and remove weak ciphers. ...
  3. Ensure your changes persist. ...
  4. Check and reload Nginx.

How to remove weak ciphers from SSH?

Solution
  1. Log in to the instance using the ssh command.
  2. Switch to a root user using the sudo su - command.
  3. List the currently enabled ciphers by running the command sshd -T | grep -i 'cipher'.
  4. Copy the list and remove the unwanted ciphers. ...
  5. Make a backup of the file /etc/ssh/sshd_config by running the command:

How to remove weak ciphers from Tomcat?

What is Cipher?
  1. Open this file for edit.
  2. Look for this line in the server.xml file. <!-- HTTPS Connector added by Automation API Installation --> ...
  3. Add the following line to disable the weak ciphers: ciphers="<Required ciphers List>"/> For example, to disable the 3DES and RC4 ciphers, add the following: ...
  4. Restart Tomcat server.

How do I disable weak ciphers in Azure?

Let's say, based on the list of supported TLS cipher suites, we would like to disable all the cipher suites that are weaker than TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA. In order to do this, we can call the Update Config API to set the property minTlsCipherSuite to TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA.

How to remove weak ciphers from Apache?

In Apache httpd, ciphers are set in the SSLCipherSuite directive. Ciphers are delimited by space or by semicolon (whichever you choose). To disable a cipher, you need to add an exclamation mark in front of it.

How do I enable support for recommended cipher suites?

Configure allowed cipher suites
  1. Open regedit.exe and go to: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Cryptography\Configuration\Local\SSL\00010002.
  2. Edit the Functions key, and set its value to the list of Cipher Suites that you want to allow. ...
  3. Restart the PVWA server.

Author: Geoffrey Lueilwitz